FedEx emails with new trojan variant
August 25, 2010 5 Comments
MX Lab intercepted a new campaign of FedEx emails that have a trojan attached to the message. The email is sent from the spoofed address “Fedex Support, Trisha Kimble” <firstname.lastname@example.org> – please note that the name of the person can change.
Fedex Invoice Copy N25524750
Fedex Item Status N4347526
Fedex Shipment Status N0919106
Fedex Tracking Number N7897143
The body of the email does not contains any text but only an embedded image.
The email has the attachment FEDEXInvoiceEE438252OP.zip. The 36 kB large file FedexInvoice_EE776129.exe is extracted from the zip archive.
At the time of writing, only 8 of the 42 AV engines at Virus Total did detect the trojan. The trojan is known as W32/Agent.JBI (Authentium), Suspicious:W32/Malware!Gemini (F-Secure), TrojanDropper:Win32/Oficla.T (Microsoft), a variant of Win32/Kryptik.GHC (NOD32).
Virus Total permlink and MD5: 2587d5dc4b18e652532e556ac26f2290